Re: [Uta] 6125bis -- multiple identifiers (was security considerations)
"Salz, Rich" <rsalz@akamai.com> Wed, 06 October 2021 17:17 UTC
Return-Path: <rsalz@akamai.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24DCC3A0646 for <uta@ietfa.amsl.com>; Wed, 6 Oct 2021 10:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level:
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwqSLhbfeHTl for <uta@ietfa.amsl.com>; Wed, 6 Oct 2021 10:17:53 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D397E3A05E2 for <uta@ietf.org>; Wed, 6 Oct 2021 10:17:42 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.1.2/8.16.1.2) with SMTP id 196HHKoO005578 for <uta@ietf.org>; Wed, 6 Oct 2021 18:17:41 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=0Lqz85vwcjuyB+Lx17wS16PqqEjMeKor7NvBjQQwfhs=; b=TeDX+POJLtSETQxAyxQT7f1P8JIU/Mao+0Np+PWr1sxcNKjegiIOpP910bLuiZbjUNGX YZznmzqhbyscQKZfplhCY/hHw72fGsBPWX9lE0DZy6PS1oBnclr5wHmLOXvYdCmZXlMP gy2bW31myi7batCzfWcbodYDBBF0RX4FBK64jViMX0c4uWoCehMBJ6s5IvuMTnv6XZvo 8qm4b52/9VKiQ+IjhDO4NftrdbUf74DYoXlOo1J5bW5VYMwgXxQyWH4QGvDtx80tEoYC qXMoW1o4bCIa4Q8vbcWreZZiHwWaxp0DFXzJGLcBkx1/v8stFQY9RfGj/LKYG7p8N61G Ww==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 3bh1amuwub-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <uta@ietf.org>; Wed, 06 Oct 2021 18:17:41 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 196H4R5D031586 for <uta@ietf.org>; Wed, 6 Oct 2021 10:17:40 -0700
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint5.akamai.com with ESMTP id 3bgvpj1hug-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <uta@ietf.org>; Wed, 06 Oct 2021 10:17:40 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Wed, 6 Oct 2021 13:17:39 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.023; Wed, 6 Oct 2021 13:17:39 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] 6125bis -- multiple identifiers (was security considerations)
Thread-Index: AQHXutYP8Ubut1qfYUSNdkucukwXEA==
Date: Wed, 06 Oct 2021 17:17:38 +0000
Message-ID: <FFC49E6A-D681-4B39-BA4B-518F53831F2B@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.53.21091200
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_FFC49E6AD6814B39BA4B518F53831F2Bakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-10-06_04:2021-10-06, 2021-10-06 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 suspectscore=0 adultscore=0 mlxscore=0 spamscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110060107
X-Proofpoint-ORIG-GUID: 0Vq9dazGm6llXkWdDrV3oxJDBg0FCBOO
X-Proofpoint-GUID: 0Vq9dazGm6llXkWdDrV3oxJDBg0FCBOO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-10-06_04,2021-10-06_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 malwarescore=0 impostorscore=0 bulkscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 spamscore=0 priorityscore=1501 clxscore=1015 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110060108
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/vrFGDff-vVCp4a5Vd94xLzQca3o>
Subject: Re: [Uta] 6125bis -- multiple identifiers (was security considerations)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 17:17:58 -0000
* It started off with this discussion, but clearly, it's a much broader change. It does try and reintroduce the ALPN conversation, although with a looser 2119 fit, and trying to explain the "why" of the SHOULD, in a way directly relevant to this specification, in a way that is hopefully acceptable to mitigating the concerns previously raised. * I'm specifically proposing splitting up "Multiple Identifiers" into two discussions - "Multiple Presented Identifiers" (multiple names in certs, and concerns for server operators) and "Multiple Reference Identifiers" (multiple acceptable names to match, and concerns for client implementations) I really like your proposal. I split it off into its own pull request, https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/33. Again for this not comfortable with GitHub, here’s the new text, followed by Ryan’s comments on it. This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a certificate, which allows for a single application service to use the same certificate for multiple identifiers. This enables a single certificate to be used across multiple hostnames, such as when a client does not support the TLS SNI extension, or across multiple protocols, such as SMTP and HTTP, on a single hostname. The use of a single certificate and public/private keypair in such environments MAY facilitate cross-protocol attacks, particularly when used in differing TLS configurations. See, for example, {{ALPACA}}, {{DROWN}}. Server operators SHOULD take steps to mitigate the risk of cross-protocol attacks, such as ensuring all TLS endpoints using a given certificate support exactly the same TLS version(s) and ciphersuite(s), and SHOULD make use of the TLS ALPN extension to ensure the correct protocol is used. ## Multiple Reference Identifiers This specification describes how a client may construct multiple acceptable reference identifiers, and may match any of those reference identifiers with the set of presented identifiers. {{PKIX, Section 4.2.1.10}} describes a mechanism to allow CA certificates to be constrained in the set of presented identifiers that they may include within server certificates. However, these constraints only apply to the explicitly enumerated name forms. For example, a CA that is only name constrained for DNS-IDs is not constrained for SRV-IDs and URI-IDs, unless those name forms are also explicitly included within the name constraints extension. A client that constructs multiple reference identifiers of different types, such as both DNS-ID and SRV-IDs, as described in {#verify-reference-rules}, SHOULD take care to ensure that CAs issuing such certificates are appropriately constrained. This MAY take the form of local policy through agreement with the issuing CA, or MAY be enforced by the client requiring that if one form of presented identifier is constrained, such as a dNSName name constraint for DNS-IDs, then all other forms of acceptable reference identities are also constrained, such as requiring a uniformResourceIndicator name constraint for URI-IDs. * I understand this latter text may have some degree of controversy attached; one of the intended aspects of flexibility with nameConstraints was precisely that it allows new name forms to be introduced in the future, without requiring the reissuance of certificates. I've tried to balance that with the client behaviour, namely, that a client shouldn't construct a given reference identifier / allow a match for a given reference identifier unless it's constrained, _if_ it accepts other forms of constrained reference identifiers. * The canonical example here of the challenge is something like introducing support for SRV-IDs within browser clients, which would be a huge boon to reducing the risk of cross-protocol issues like ALPACA. However, clients cannot (safely) do this as long as there exist servers that are only constrained for dNSNames, without corresponding SRVName constraints. This tries to balance that, by suggesting the client should, when presented with such a constrained chain, only allow DNS-ID reference identifiers to match (because the indication that "some" constraint was intended). Reissuance of that intermediate, to also constrain SRVName, would provide the explicit signal to the client that it's acceptable (or not) to use SRV-ID reference identifiers. * This does not holistically integrate it (e.g. by adding a cross-reference to #verify-reference-rules to the security considerations), but is meant to see if there is objection/concern with this approach.